Security Use Cases
Discover the ways in which you can protect or limit access to your services
JWT Authentication
Configure JWT token validation:
```yaml
annotations:
  gateway.tetrate.io/host: "secure-api.example.com"
  gateway.tetrate.io/jwt-issuers: |
    - issuer: "https://accounts.google.com"
      jwksUri: "https://www.googleapis.com/oauth2/v3/certs"
      audiences: ["your-client-id"]
    - issuer: "https://auth.company.com"
      jwksUri: "https://auth.company.com/.well-known/jwks.json"
```
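The checks a gateway runs for a jwt-issuers configuration like the one above, as an added example (not Tetrate's code): the iss claim selects the configured issuer, the kid selects a key from that issuer's JWKS only, then signature, expiry and (where the issuer lists them) audiences are verified. The JWKS documents are constructed inline and use HS256 "oct" keys so the example runs on the standard library alone; a real gateway fetches RSA/EC public keys from jwksUri.

```python
"""Added example of per-issuer JWT validation; constructed keys and claims."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Mirrors the annotation: one entry per trusted issuer.
JWT_ISSUERS = [
    {"issuer": "https://accounts.google.com",
     "jwksUri": "https://www.googleapis.com/oauth2/v3/certs",
     "audiences": ["your-client-id"]},
    {"issuer": "https://auth.company.com",
     "jwksUri": "https://auth.company.com/.well-known/jwks.json"},
]

# Stand-in for fetching jwksUri: constructed JWKS documents keyed by URI.
FAKE_JWKS = {
    "https://www.googleapis.com/oauth2/v3/certs": {"keys": [
        {"kty": "oct", "kid": "g1", "k": "google-demo-key"}]},
    "https://auth.company.com/.well-known/jwks.json": {"keys": [
        {"kty": "oct", "kid": "c1", "k": "company-demo-key"}]},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: str, kid: str, claims: dict) -> str:
    """Issue an HS256 JWT, i.e. what the identity provider would do."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "." +
                     b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason); each rejection reason is one gateway check."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
    except ValueError:
        return False, "malformed token"
    # 1. The iss claim selects which configured issuer (and JWKS) applies.
    cfg = next((c for c in JWT_ISSUERS if c["issuer"] == claims.get("iss")), None)
    if cfg is None:
        return False, "unknown issuer"
    # 2. Reject unexpected algorithms before looking at the signature.
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    # 3. kid -> key from that issuer's JWKS only, never another issuer's keys.
    keys = {k["kid"]: k["k"] for k in FAKE_JWKS[cfg["jwksUri"]]["keys"]}
    key = keys.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return False, "bad signature"
    # 4. Expiry, then audience (only enforced when the issuer lists audiences).
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if "audiences" in cfg:
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        if not set(auds) & set(cfg["audiences"]):
            return False, "audience mismatch"
    return True, "ok"
```

The second issuer in the annotation has no audiences list, and the example follows that: its tokens are accepted on signature and expiry alone, which is why listing audiences is worth doing wherever the client id is known.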
OIDC Authentication
Enable OpenID Connect:
```yaml
annotations:
  gateway.tetrate.io/host: "app.example.com"
  gateway.tetrate.io/protocol: "HTTPS"
  gateway.tetrate.io/tls-secret: "app-tls"
  gateway.tetrate.io/path: "/app"
  gateway.tetrate.io/oidc-enabled: "true"
  gateway.tetrate.io/oidc-config: |
    grantType: "AUTHORIZATION_CODE"
    clientId: "demo-client"
    clientTokenSecret: "demo-client-secret"
    redirectUri: "https://app.example.com/callback"
    provider:
      issuer: "https://keycloak.example.com/realms/master"
      authorizationEndpoint: "https://keycloak.example.com/realms/master/protocol/openid-connect/auth"
      tokenEndpoint: "https://keycloak.example.com/realms/master/protocol/openid-connect/token"
      jwksUri: "https://keycloak.example.com/realms/master/protocol/openid-connect/certs"
```
OIDC Configuration Fields:
- grantType: OAuth2 grant type (default: "AUTHORIZATION_CODE")
- clientId: OIDC client identifier
- clientTokenSecret: Kubernetes secret containing client credentials
- redirectUri: Callback URI after successful authentication
- provider: OIDC provider configuration
  - issuer: OIDC issuer URL
  - authorizationEndpoint: OAuth2 authorization endpoint
  - tokenEndpoint: OAuth2 token endpoint
  - jwksUri: JSON Web Key Set URI for token validation
Rate Limiting
Protect your services from abuse:
```yaml
annotations:
  gateway.tetrate.io/host: "api.example.com"
  gateway.tetrate.io/rate-limits: |
    # Global rate limit - 100 requests per minute per IP
    - dimensions:
        - remoteAddress:
            value: "*"
      limit:
        requestsPerUnit: 100
        unit: MINUTE
    # API key based limit - 1000 requests per hour
    - dimensions:
        - header:
            name: "x-api-key"
      limit:
        requestsPerUnit: 1000
        unit: HOUR
```
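How rules like the two above are applied to traffic, as an added example (not Tetrate's code): each rule's dimensions are resolved from the request into a descriptor, a request that lacks a dimension (no x-api-key header) is simply not subject to that rule, the counter is kept per descriptor value per time window, and a request is rejected as soon as any matching rule is over its limit. The limiter is an in-memory fixed window, which is an assumption made to keep the example self-contained; a gateway deployment shares counters through a rate-limit service.

```python
"""Added example of descriptor matching and per-window counting; constructed rules."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

UNIT_SECONDS = {"SECOND": 1, "MINUTE": 60, "HOUR": 3600, "DAY": 86400}

# Copy of the two rules from the annotation.
RATE_LIMITS = [
    {"dimensions": [{"remoteAddress": {"value": "*"}}],
     "limit": {"requestsPerUnit": 100, "unit": "MINUTE"}},
    {"dimensions": [{"header": {"name": "x-api-key"}}],
     "limit": {"requestsPerUnit": 1000, "unit": "HOUR"}},
]


def descriptor_for(rule: dict, remote_addr: str,
                   headers: Dict[str, str]) -> Optional[Tuple[Tuple[str, str], ...]]:
    """Resolve a rule's dimensions against one request.
    Returns None when a dimension is absent, in which case the rule does not
    apply to this request at all."""
    lower_headers = {k.lower(): v for k, v in headers.items()}
    parts = []
    for dim in rule["dimensions"]:
        if "remoteAddress" in dim:
            wanted = dim["remoteAddress"]["value"]
            if wanted != "*" and wanted != remote_addr:
                return None
            # "*" means one bucket per distinct client address.
            parts.append(("remoteAddress", remote_addr))
        elif "header" in dim:
            name = dim["header"]["name"].lower()
            value = lower_headers.get(name)
            if value is None:
                return None
            parts.append((name, value))
        else:
            raise ValueError(f"unsupported dimension: {dim}")
    return tuple(parts)


class RateLimiter:
    def __init__(self, rules: List[dict]):
        self.rules = rules
        # (rule index, descriptor, window number) -> requests seen
        self.counters = defaultdict(int)

    def check(self, remote_addr: str, headers: Dict[str, str],
              now: float) -> Tuple[bool, List[str]]:
        """Return (allowed, reasons). The request is counted against every
        rule it matches; over-limit requests are rejected and not counted."""
        hits, over = [], []
        for i, rule in enumerate(self.rules):
            desc = descriptor_for(rule, remote_addr, headers)
            if desc is None:
                continue
            limit = rule["limit"]
            window = UNIT_SECONDS[limit["unit"]]
            key = (i, desc, int(now // window))
            hits.append(key)
            if self.counters[key] >= limit["requestsPerUnit"]:
                over.append(f"rule {i} {desc} exceeded "
                            f"{limit['requestsPerUnit']}/{limit['unit']}")
        if over:
            return False, over
        for key in hits:
            self.counters[key] += 1
        return True, []
```

Because every matching rule is checked, a client presenting an API key is still bounded by the per-IP rule: the second rule raises the hourly budget for keyed traffic but does not exempt it from the first.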
CORS Configuration
Enable Cross-Origin Resource Sharing:
```yaml
annotations:
  gateway.tetrate.io/host: "api.example.com"
  gateway.tetrate.io/cors-policy: |
    allowOrigin:
      - "https://app.example.com"
      - "https://dashboard.example.com"
    allowMethods:
      - GET
      - POST
      - PUT
      - DELETE
    allowHeaders:
      - "Content-Type"
      - "Authorization"
      - "X-Request-ID"
    exposeHeaders:
      - "X-Response-ID"
    maxAge: "3600s"
    allowCredentials: true
```
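What a gateway does with the policy above on a request, as an added example (not Tetrate's code): the Origin is checked against the allow-list, a preflight (OPTIONS with Access-Control-Request-Method) receives the allowed methods, headers and max age, an actual request receives the expose-headers list, and because allowCredentials is true the matched origin is echoed back rather than "*" (browsers refuse credentialed responses carrying a wildcard origin). The policy values are copied from the annotation; the request headers in the test are constructed.

```python
"""Added example of CORS policy evaluation; policy copied from the annotation."""
from typing import Dict

CORS_POLICY = {
    "allowOrigin": ["https://app.example.com", "https://dashboard.example.com"],
    "allowMethods": ["GET", "POST", "PUT", "DELETE"],
    "allowHeaders": ["Content-Type", "Authorization", "X-Request-ID"],
    "exposeHeaders": ["X-Response-ID"],
    "maxAge": "3600s",
    "allowCredentials": True,
}


def origin_allowed(policy: dict, origin: str) -> bool:
    return any(o == "*" or o == origin for o in policy["allowOrigin"])


def max_age_seconds(value: str) -> int:
    """maxAge is written as a duration string in the annotation ("3600s")."""
    return int(value[:-1]) if value.endswith("s") else int(value)


def cors_headers(policy: dict, method: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Return the CORS response headers for one request, or {} when it is not
    a CORS request or its Origin is not allowed (the browser then blocks the
    response from the calling page)."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None or not origin_allowed(policy, origin):
        return {}
    out = {}
    if policy.get("allowCredentials"):
        # Credentialed responses must name the origin; "*" would be rejected.
        out["Access-Control-Allow-Origin"] = origin
        out["Access-Control-Allow-Credentials"] = "true"
    else:
        out["Access-Control-Allow-Origin"] = "*" if "*" in policy["allowOrigin"] else origin
    if out["Access-Control-Allow-Origin"] != "*":
        out["Vary"] = "Origin"  # caches must key on Origin when it is echoed
    if method == "OPTIONS" and "access-control-request-method" in h:
        # Preflight: advertise what the actual request may use.
        out["Access-Control-Allow-Methods"] = ", ".join(policy["allowMethods"])
        out["Access-Control-Allow-Headers"] = ", ".join(policy["allowHeaders"])
        out["Access-Control-Max-Age"] = str(max_age_seconds(policy["maxAge"]))
    elif policy.get("exposeHeaders"):
        # Actual request: which response headers page script may read.
        out["Access-Control-Expose-Headers"] = ", ".join(policy["exposeHeaders"])
    return out


def preflight_permits(policy: dict, requested_method: str, requested_headers: str) -> bool:
    """What the browser concludes from the preflight: the actual request is
    sent only if its method and every requested header are allowed."""
    allowed_headers = {x.lower() for x in policy["allowHeaders"]}
    wanted = [x.strip().lower() for x in requested_headers.split(",") if x.strip()]
    return (requested_method.upper() in policy["allowMethods"]
            and all(x in allowed_headers for x in wanted))
```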
WAF Protection
Enable Web Application Firewall with OWASP ModSecurity rules:
```yaml
annotations:
  gateway.tetrate.io/host: "webapp.example.com"
  gateway.tetrate.io/waf-enabled: "true"
```
This will automatically configure the following default WAF rules:
- Include @recommended-conf - ModSecurity recommended configuration
- SecRuleEngine On - Enable rule processing engine
- SecResponseBodyAccess Off - Disable response body inspection for performance
- Include @crs-setup-conf - Core Rule Set setup configuration
- Include @owasp_crs/*.conf - OWASP Core Rule Set for common web attacks
Custom WAF Rules
You can also specify custom WAF rules using the custom-config annotation:
```yaml
annotations:
  gateway.tetrate.io/host: "webapp.example.com"
  gateway.tetrate.io/waf-enabled: "true"
  gateway.tetrate.io/custom-config: |
    waf:
      rules:
        - "SecRuleEngine DetectionOnly"
        - "SecDebugLogLevel 5"
```
The custom rules replace the default OWASP rules rather than adding to them, giving you full control over the WAF configuration; if you still want the Core Rule Set, include it explicitly in your custom rules.
External Authorization
Delegate authorization decisions to an external service:
```yaml
annotations:
  gateway.tetrate.io/host: "api.example.com"
  gateway.tetrate.io/protocol: "HTTPS"
  gateway.tetrate.io/tls-secret: "api-tls"
  gateway.tetrate.io/authz-external: "http://authz-service.security:8080/authorize"
```
The external authorization service will be called for each request, and must return a 200 status code to allow the request to proceed. This enables integration with custom authorization systems, policy engines like OPA, or external identity providers.
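A minimal external authorization service of the kind the authz-external annotation points at, as an added example (not Tetrate's code): it answers 200 to allow and 401/403 to deny, and it defaults to deny so that an unmatched path never slips through. It assumes the gateway forwards the original method and path in the constructed headers X-Original-Method and X-Original-URI and copies the client's Authorization header; the tokens and policy table are constructed. The decision lives in authorize() so it can be tested without opening a socket.

```python
"""Added example of an external authorizer; constructed tokens, policy and header names."""
import posixpath
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple

# Constructed: bearer token -> role.
TOKENS = {"reader-token": "reader", "admin-token": "admin"}
# Constructed: (path prefix, method or "*", roles allowed); first match wins.
POLICY = [
    ("/orders", "GET", {"reader", "admin"}),
    ("/orders", "POST", {"admin"}),
    ("/admin", "*", {"admin"}),
]


def authorize(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Return (HTTP status, reason). 200 allows; anything else denies."""
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    role = TOKENS.get(auth[len("Bearer "):].strip())
    if role is None:
        return 401, "unknown token"
    # Normalise the path so "/orders/../admin" is judged as "/admin".
    norm = posixpath.normpath(path.split("?", 1)[0])
    for prefix, allowed_method, roles in POLICY:
        in_prefix = norm == prefix or norm.startswith(prefix + "/")
        if in_prefix and allowed_method in ("*", method.upper()):
            if role in roles:
                return 200, f"{role} may {method.upper()} {prefix}"
            return 403, f"{role} may not {method.upper()} {prefix}"
    return 403, "no policy matches"  # default deny


class AuthzHandler(BaseHTTPRequestHandler):
    """Answers the gateway's check request with the status from authorize()."""

    def do_GET(self):
        self._check()

    def do_POST(self):
        self._check()

    def _check(self):
        # Drain any forwarded body so the connection stays well-formed.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        method = self.headers.get("X-Original-Method", "GET")
        path = self.headers.get("X-Original-URI", "/")
        status, reason = authorize(method, path, dict(self.headers.items()))
        self.send_response(status)
        self.send_header("X-Authz-Reason", reason)
        self.send_header("Content-Length", "0")
        self.end_headers()


def serve(port: int = 8080) -> None:
    HTTPServer(("0.0.0.0", port), AuthzHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it as a Deployment behind a Service named authz-service in the security namespace and the annotation above resolves to it. Since the annotation uses plain http inside the cluster, the authorizer should be reachable only from the gateway (a NetworkPolicy or mesh policy), because anything that can reach it learns nothing but anything that can impersonate the gateway's path to the upstream bypasses it.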